CI: migrate Docker build/push from Woodpecker to GitHub Actions

Was: Woodpecker built+pushed to DockerHub, then `kubectl set image` patched the four Deployments to a pinned numeric tag. With Deployments pinned to :51 (immutable tag), Keel polled forever and never saw a digest bump — and no DockerHub pull-secret meant Keel hit 401 on the private repo at every poll. The 4-Deployment setup also had a latent ImagePullBackOff risk: if a node was replaced, fresh pulls would fail. Now: GHA builds+pushes (.github/workflows/build-{api,frontend}.yml) on push to master. Cluster Deployments reference :latest with an imagePullSecret sourced from Vault via ESO (codified in infra/stacks/real-estate-crawler/ main.tf, separate commit). Keel polls :latest, sees the new digest after each GHA build, and rolls all four Deployments. - .github/workflows/build-api.yml: pytest (unit + integration/regression/ e2e/test_listing_geojson) + buildx push viktorbarzin/realestatecrawler to {<8-char-sha>, latest}. - .github/workflows/build-frontend.yml: vitest (all 4 ex-shards in one run) + Vite build with VITE_MAPBOX_TOKEN from GHA secret + buildx push viktorbarzin/immoweb to {<8-char-sha>, latest}. - .woodpecker/{api,frontend}.yml renamed to .woodpecker/build-fallback-{api,frontend}.yml with `event: deployment` so they no longer fire on push — kept as manual-only fallback if GHA is down (CLAUDE.md convention from the 10 already-migrated projects). - .claude/CLAUDE.md: Git Workflow section updated to reflect GHA as primary + the dockerhub-pull-secret wiring. GHA repo secrets DOCKERHUB_TOKEN and MAPBOX_TOKEN populated from Vault fields viktor.dockerhub_registry_password and ci/global.wrongmove-mapbox-token respectively (DOCKERHUB_USERNAME=viktorbarzin was already set). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-18 19:11:31 +00:00 · 2026-05-18 19:11:31 +00:00 · c2acbf5d2e
commit c2acbf5d2e
parent 01a940b9b6
5 changed files with 176 additions and 6 deletions
--- a/.github/workflows/build-api.yml
+++ b/.github/workflows/build-api.yml
@ -0,0 +1,83 @@
+name: Build and Push API
+
+# Migrated from .woodpecker/api.yml on 2026-05-18. GHA builds + pushes to
+# DockerHub; Keel polls and rolls the cluster Deployments. No POST to
+# Woodpecker — Keel is the deploy mechanism now.
+
+on:
+  push:
+    branches: [master]
+    paths-ignore:
+      - 'frontend/**'
+      - '**.md'
+      - '.woodpecker/**'
+
+concurrency:
+  group: build-api-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  IMAGE: viktorbarzin/realestatecrawler
+
+jobs:
+  test-and-build:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.13'
+          cache: 'pip'
+
+      - name: System deps
+        run: sudo apt-get update && sudo apt-get install -y --no-install-recommends libglib2.0-0
+
+      - name: Python deps (mirror .woodpecker/api.yml install list)
+        run: |
+          python -m pip install --upgrade pip
+          pip install --quiet \
+            pytest pytest-asyncio pytest-cov httpx fakeredis aioresponses \
+            fastapi uvicorn sqlmodel sqlalchemy alembic pyjwt cryptography \
+            celery redis click aiohttp aiohttp-socks pillow numpy pytesseract \
+            opentelemetry-api opentelemetry-sdk opentelemetry-exporter-prometheus \
+            opentelemetry-instrumentation-fastapi opentelemetry-instrumentation-sqlalchemy \
+            python-dotenv webauthn apprise tenacity prometheus-client \
+            email-validator opencv-python-headless tqdm pandas cachetools watchdog
+
+      - name: Unit tests
+        run: pytest tests/unit/ -v --tb=short
+
+      - name: Integration / regression / e2e tests
+        run: pytest tests/integration/ tests/regression/ tests/e2e/ tests/test_listing_geojson.py -v --tb=short
+
+      - uses: docker/setup-buildx-action@v3
+
+      - uses: docker/login-action@v3
+        with:
+          username: viktorbarzin
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      # github.sha is the commit hash (40-char hex, controlled by git, not
+      # external input) — using it via env to satisfy the workflow-injection
+      # lint hook and keep things uniform.
+      - id: meta
+        env:
+          GIT_SHA: ${{ github.sha }}
+        run: echo "sha=$(printf '%s' "$GIT_SHA" | cut -c1-8)" >> "$GITHUB_OUTPUT"
+
+      # Pushes both :<8-char-sha> (traceability) and :latest (Keel watches this).
+      # Deployments reference :latest; Keel detects the digest bump and rolls.
+      - uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Dockerfile
+          target: production
+          platforms: linux/amd64
+          push: true
+          tags: |
+            ${{ env.IMAGE }}:${{ steps.meta.outputs.sha }}
+            ${{ env.IMAGE }}:latest
+          cache-from: type=gha,scope=api
+          cache-to: type=gha,scope=api,mode=max